Splitting /64 in 2x /65
I'm running an OpenVPN server on which I want to add IPv6 tunneling support. My VPS provider provides me a static /64.
The idea is to give the main interface the first /65 and to OpenVPN the second /65.
I tried to add an IPv6 address from the first /65 to eth0 but it's failing to connect to the internet; here are the commands I ran:

    # I have xxxx:xxxx:xxxx:xxxx::/64
    ifconfig eth0 inet6 add xxxx:xxxx:xxxx:xxxx::/65
    route -A inet6 add ::/0 dev eth0

When I try to ping:

    ping6 google.com
    PING google.com(wm-in-x8b.1e100.net) 56 data bytes
    From wm-in-x8b.1e100.net icmp_seq=1 Destination unreachable: Address unreachable

I've noticed that the neighbor discovery fails:

    sudo ip -6 neigh
    2a00:1450:400c:c09::8b dev eth0 FAILED
    fe80::768e:f8ff:fea3:8cc1 dev eth0 lladdr mac:address:x:x:x:x router STALE

I'm not very practical with IPv6, what can I do?
Comments
This tells the OS you have the whole internet directly connected to the same LAN as your eth0...
Or maybe you actually use a gateway to reach it, via which you need to set up the default route?
But actually that's only the first of many WTFs, e.g. you could describe what you are trying to achieve by using /65s. Hint: SLAAC will not work on anything less than /64 already, so you might as well not bother with the weird single-bit math and just go with a /112 for the VPN, etc.
I was following Nyr's guide to add IPv6 support to OpenVPN using tunnelbroker (https://wiki.nyr.es/ipv6_tunnel_broker_openvpn_openvz). As my provider provides me a /64 I wanted to use that instead of tunnelbroker. But if I assign the whole /64 to OpenVPN I won't have any address to use on eth0 to reach the internet.
So I tried to do what's written here https://community.openvpn.net/openvpn/wiki/IPv6#SplittingasingleroutableIPv6netblock : "For an OpenVPN setup, this address space can be broken in 2, /65-prefix parts, the first being assigned to the physical network interface, and the second to the VPN. Warning operating netblocks smaller than /64 might break some network features."
RA requires at least /64.
I realize I was doing it totally wrong, I've now assigned the /64 to eth0 and added the fe80 gateway. IPv6 works from the host. For OpenVPN I've assigned a /112 from the /64 range. When I connect with the VPN client I can reach the host but I can't reach the internet. net.ipv6.conf.all.forwarding is enabled.
Have you added a route to the OpenVPN interface?
Default route from the client pointing to the VPN server interface IP?
Got it fully working now, had to enable net.ipv6.conf.all.proxy_ndp and add neigh proxy for the client IP on eth0.
Yes that is the trick with those non-routed IPv6 ranges, as an alternative you could take a look at https://github.com/DanielAdolfsson/ndppd which can in effect turn that /112 into a "routed" one, by automatically NDP-replying to any IP from it.
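
The setup the thread ended with (whole /64 on eth0, a /112 for the VPN, forwarding and proxy_ndp enabled, one proxy neighbour entry per client address), written out as an added example that is not from any poster. The function name `ndp_proxy_plan`, the 2001:db8:: documentation prefix and the client addresses are constructed; the script only builds the commands and validates the addressing, it does not run them.

```python
import ipaddress


def ndp_proxy_plan(prefix64, vpn_index, host_addr, clients, wan_if="eth0"):
    """Return (vpn_net, commands) for a /112 carved out of an on-link /64.

    vpn_index selects which /112 of the /64 goes to the VPN. Because the
    /64 is on-link rather than routed to the VPS, the upstream router sends
    a neighbour solicitation for every address it wants to reach, so the
    host must answer on wan_if on behalf of each VPN client.
    """
    net64 = ipaddress.IPv6Network(prefix64)
    if net64.prefixlen != 64:
        raise ValueError("expected the provider's /64")
    if not 0 <= vpn_index < 2 ** 48:
        raise ValueError("a /64 holds 2**48 /112 subnets")
    # A /112 leaves 16 host bits, so consecutive /112s are 2**16 apart.
    base = int(net64.network_address) + (vpn_index << 16)
    vpn_net = ipaddress.IPv6Network((base, 112))
    # The address configured on wan_if must stay outside the VPN range,
    # otherwise the kernel would treat it as a tunnel-side address.
    if ipaddress.IPv6Address(host_addr) in vpn_net:
        raise ValueError("host address overlaps the VPN /112")
    cmds = [
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        "sysctl -w net.ipv6.conf.all.proxy_ndp=1",
    ]
    for client in clients:
        addr = ipaddress.IPv6Address(client)
        # Only answer NDP for addresses that really belong to VPN clients.
        if addr not in vpn_net:
            raise ValueError(f"{addr} is not inside {vpn_net}")
        cmds.append(f"ip -6 neigh add proxy {addr} dev {wan_if}")
    return vpn_net, cmds


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up clients).
    net, commands = ndp_proxy_plan(
        "2001:db8:1234:5678::/64", 1, "2001:db8:1234:5678::2",
        ["2001:db8:1234:5678::1:1000", "2001:db8:1234:5678::1:1001"],
    )
    print("# VPN subnet:", net)
    print("\n".join(commands))
```

Static proxy entries have to be added per client address; ndppd, mentioned above, answers for the whole /112 instead.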